How to navigate your way to stronger cyber resilience

The report explains that many organizations are finding it hard to implement company-wide security policies. Can you outline some of the key challenges they’re facing and how they could overcome these?

Implementing consistent security policies across the business can be a technical challenge but is often also a cultural one. For example, some business leaders can be reluctant to enforce security practices that might appear inconvenient or restrictive. Some employees might resist controls such as ‘just-in-time’ or ‘least privilege’ access to certain applications or data, especially if they’ve had open access before.

Some employees might not be aware of security policies, unsure whether they apply to their systems or roles, or believe that their area should be an exception. Such misunderstandings can lead to confusion and resistance and ultimately get in the way of effective implementation, increasing organizational risk.

The more open and transparent business and security leaders can be with employees about what the policies are, who they apply to and why they matter, the easier it will be. These conversations promote understanding and cooperation, especially if they are supported by regular training. It is important to be responsive to change and to regularly review and update security policies, so they are aligned with evolving threats and business requirements.

Every organization's risk profile is different – how can organizations best prioritize the risks they need to manage?

To manage risk effectively, an organization needs to understand both the level of risk it faces and the level of protection it is willing to invest in.

Organizations have a different appetite for risk, some will accept a higher level of exposure in return for greater access and flexibility, others will want to lock almost everything down – most fall somewhere in between.

To understand the risk level, you need to identify the circumstances and events that could harm your operations, assets, employees, and others. What assets do you have, where are they, who has access to them? What are your most important assets for maintaining business continuity and operations? What risks do they face? Once you know this, you need to consider the likelihood that these risks will occur and their potential impact.

You can then decide on the level of protection you want and need, and which risks need priority attention. Not every company has all the security resources, tools, and processes it needs on day one, and risk levels change over time. A roadmap approach and a centralized risk register will help you to keep track of your organization's risks and enable informed decision-making about managing or mitigating them.

What are the best practices for developing and testing robust incident response strategies, and what are the common pitfalls to avoid?

A robust incident response plan should apply across the business. It should consider how incidents will be contained and neutralized, the maximum downtime your critical systems can sustain, and whether there are manual processes you can revert to if needed. It needs to address how customers could be impacted, the service levels you are committed to, and the regulatory compliance demands. Don’t forget about internal communications to staff and external communications to customers, partners, and the press.

Incident response plans need to be adapted as circumstances change. New technologies, new markets, regulatory changes, and more all need to be factored in.

They also need to be tested. You can do this by, for example, targeting your own organization with a ‘purple team’ approach or through a table-top exercise.

Purple teams manage and co-ordinate incident response simulations, creating scenarios where a ‘red team’ can launch a mock incident to which a ‘blue team’ then responds. Such simulations help companies to improve their ability to detect, respond to, mitigate, and learn from security incidents.

A table-top exercise is a simulated cyber incident, minus the actual damage, impact and cost. The most effective table-tops are controlled, scenario-based exercises where key stakeholders, such as IT personnel, security teams, business and functional leaders, come together to work through and evaluate their combined response to a hypothetical security incident.

If an organization doesn’t have a plan for what to do if a security incident takes place, they risk finding themselves in the precarious position of not knowing how to react to events, and consequently doing nothing or the wrong thing.

The report also shows that just over a third of the smaller companies worry that senior management doesn’t see cyberattacks as a significant risk. How can they get greater buy-in from their management team on the importance of cyber risks?

It’s important to understand that this is not a question of management failure. It is hard for business leaders to engage with or care about something they don’t fully understand. The onus is on security professionals to speak in a language that business leaders understand. They need to be storytellers and be able to explain how to protect brand reputation through proactive, multi-faceted defense programs.

Every business leader understands the concept of risk. If in doubt, present cybersecurity threats, challenges, and opportunities in terms of how they relate to business risk. For example, what would or could happen to business operations, revenue, and brand reputation in the event of a cyber-breach and what investments are needed to manage risk so that this doesn’t happen?

We've featured the best business VPN.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro